How private are direct messages on Mastodon / Infosec.Exchange?

I heard that DMs are public or are accessible to admins in Mastodon. What gives?

Twitter includes the concept of Direct Messages (DMs) which effectively created a separate and non-public channel for discussion.

Mastodon doesn't have the same concept of direct messages. However, in Mastodon, a post can be set to private so that only the accounts tagged in the post can see it.

A Mastodon private post is like a whispered conversation in public: it's likely that only the intended recipient will get your message, but Mastodon private messages are not suitable for conversations which must remain strictly confidential.

It is true that a bored admin of a server that hosts one of the recipients of the private message could search the database to find the private message. However, this is no different from most other services, including Twitter.

If you tag (i.e., @mention) a user within a private message thread, they will automatically be included in that thread and able to see the message. If you only wish to mention a user in the conversation without including them in it, do not tag/@mention them!
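Because every @mention in a private post silently adds that account to the thread, it is worth checking a draft before sending. The following is an added example (not code from this page or from Infosec.Exchange) that extracts Mastodon-style mentions from a draft and reports any account that would be pulled into the thread beyond the people you intended; the mention regex and the assumption that a bare `@user` refers to a local account are mine.

```python
import re

# Matches Mastodon handles: "@user" (local) or "@user@instance.example".
# The lookbehind rejects things like "mail@example.com" (preceded by a word
# character) and URL paths, which Mastodon also does not treat as mentions.
# This regex is a constructed approximation, not Mastodon's own parser.
MENTION_RE = re.compile(r"(?<![\w/])@([A-Za-z0-9_]+)(?:@([A-Za-z0-9.\-]+))?")


def normalize(handle: str) -> str:
    """Lowercase a handle and strip a trailing '.' left by sentence punctuation."""
    handle = handle.strip().rstrip(".").lower()
    return handle if handle.startswith("@") else "@" + handle


def mentioned_accounts(text: str) -> set:
    """Every account a Mastodon post would add to the thread (all @mentions)."""
    found = set()
    for user, domain in MENTION_RE.findall(text):
        handle = f"@{user}@{domain}" if domain else f"@{user}"  # bare = local
        found.add(normalize(handle))
    return found


def unintended_recipients(text: str, intended) -> set:
    """Mentions in the draft that are NOT in the intended recipient list.

    On a private ('direct' visibility) post, each of these accounts would be
    able to read the whole thread, which is exactly the pitfall described above.
    """
    return mentioned_accounts(text) - {normalize(h) for h in intended}


def check_draft(text: str, intended) -> dict:
    """Summarise who will see a private post: intended recipients plus extras."""
    extra = unintended_recipients(text, intended)
    return {
        "recipients": sorted(mentioned_accounts(text)),
        "unintended": sorted(extra),
        "safe_to_send": not extra,
    }


if __name__ == "__main__":
    # Constructed draft: the author means to talk *about* @carol, not *to* her.
    draft = "Hi @alice@infosec.exchange, did you see what @carol posted?"
    print(check_draft(draft, ["@alice@infosec.exchange"]))
```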